Some healthcare organizations will store data once considered off limits for the cloud with Amazon Web Services now that the provider is willing to sign formal Business Associate Agreements under HIPAA.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) revised the Health Insurance Portability and Accountability Act (HIPAA) to encompass "business associates" of healthcare organizations that might handle patient data. A contract called a Business Associate Agreement (BAA) is generally used to ensure compliance with this provision.

As of this week, healthcare organizations are expected to comply with a new omnibus ruling that states business associates of entities already regulated under HIPAA are directly liable for compliance with HIPAA rules, with penalties of up to $1.5 million for any breaches of privacy.

Amazon Web Services (AWS) has been marketed as a good fit for HIPPA cloud workloads over the last year, but it wasn't until June that it began signing BAAs for select organizations, according to Glenn Grant, CEO of G2 Technology Group Inc., an AWS advanced partner based in Boston.

In addition, all files containing private health information should be encrypted, according to an AWS whitepaper on HIPAA compliance. Customers are also advised to use Elastic Block Store (EBS) volumes and take snapshots replicated to different availability zones to back up their data.

Some AWS customers say they have also opted to use AWS Direct Connect to keep traffic containing sensitive data off the public Internet.

With BAAs and partners' help, healthcare orgs embrace AWS

Two of G2's clients in the Boston area, prescription management startup ZappRX Inc. and genome sequencing firm Courtagen Life Sciences, Inc., have signed on to use AWS' Elastic Compute Cloud (EC2) under G2's BAA.

Asked if clients have any objections to ZappRX using AWS, CTO Matthew Graziano said Amazon has pushed hard to become more adept with HIPAA compliance, so it hasn't been an issue.

Certain other precautions are also necessary when using AWS for HIPAA-regulated data. ZappRX, for example, also uses AES 256-bit encryption on all data it passes to Amazon. And Courtagen contracts with three other cloud partners -- Level 3 Communications LLC for an Ethernet Private Line (EPL) directly connected to EC2; ERP Software as a Service (SaaS) vendor NetSuite Inc.; and Security as a Service vendor CipherCloud Inc.,-- to secure HIPAA-regulated data throughout its genome sequencing-and-analysis process.

Identifying information is removed from genome data, sent over the EPL, and processed using EC2. Results from this processing are sent to NetSuite via a CipherCloud gateway, which encrypts the data using tokens generated on Courtagen's premises, so NetSuite IT teams can't view any of the data in the databases they manage.

Why go through all these machinations rather than keep HIPAA data in-house?

The costs and hassles associated with public cloud pale in comparison with owning and running a private data center, said Courtagen's president and co-founder Brendan McKernan.

"It's one of the biggest cost drivers in running a clinical genomics company -- management and use of big data," McKernan said. "We had to find a partner that would scale with the business, require very little capital investment on our side and have all of the proper security controls in place to protect patient data."

While AWS signing BAAs may encourage adoption of their HIPPA cloud by startups and emerging companies in the healthcare market, larger healthcare companies that already own data centers aren't convinced.

Three years ago, when AmerisourceBergen Corp. oncology software subsidiary IntrinsiQ LLC considered options for modernizing its application, AWS wasn't signing BAAs. Even if it were, the company would have stuck with a private cloud inside AmerisourceBergen's existing data center, according to IntrinsiQ's VP of technology, Steve Hamann.

"We know where our data center is, it's within our control, within our security, and that seemed to be a stronger story with our marketplace when we go out and try to sell to doctors," Hamann said.

"Not to say our own data center doesn't go down," Hamann added. "But the press is about the cloud vendors and how critical applications are impacted when they have an outage."

1 comment

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy